--- /dev/null
+From shuahkh@osg.samsung.com Mon Feb 5 09:59:48 2018
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Mon, 5 Feb 2018 10:45:56 -0700
+Subject: usbip: fix 3eee23c3ec14 tcp_socket address still in the status file
+To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org
+Cc: Shuah Khan <shuahkh@osg.samsung.com>, ebiggers3@gmail.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
+Message-ID: <920dbeada86c864f5280c363188125481399d109.1517852038.git.shuahkh@osg.samsung.com>
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+Commit 3eee23c3ec14 ("usbip: prevent vhci_hcd driver from leaking a
+socket pointer address") backported the following commit from mailine.
+However, backport error caused the tcp_socket address to still leak.
+
+commit 2f2d0088eb93 ("usbip: prevent vhci_hcd driver from leaking a
+socket pointer address")
+
+When a client has a USB device attached over IP, the vhci_hcd driver is
+locally leaking a socket pointer address via the
+
+/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
+output when "usbip --debug port" is run.
+
+Fix it to not leak. The socket pointer address is not used at the moment
+and it was made visible as a convenient way to find IP address from
+socket pointer address by looking up /proc/net/{tcp,tcp6}.
+
+As this opens a security hole, the fix replaces socket pointer address
+with sockfd.
+
+Reported-by: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vhci_sysfs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_sysfs.c
++++ b/drivers/usb/usbip/vhci_sysfs.c
+@@ -53,7 +53,7 @@ static ssize_t status_show(struct device
+ * a security hole, the change is made to use sockfd instead.
+ */
+ out += sprintf(out,
+- "prt sta spd bus dev sockfd local_busid\n");
++ "prt sta spd dev sockfd local_busid\n");
+
+ for (i = 0; i < VHCI_NPORTS; i++) {
+ struct vhci_device *vdev = port_to_vdev(i);
+@@ -64,12 +64,11 @@ static ssize_t status_show(struct device
+ if (vdev->ud.status == VDEV_ST_USED) {
+ out += sprintf(out, "%03u %08x ",
+ vdev->speed, vdev->devid);
+- out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
+- out += sprintf(out, "%06u", vdev->ud.sockfd);
++ out += sprintf(out, "%06u ", vdev->ud.sockfd);
+ out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
+
+ } else
+- out += sprintf(out, "000 000 000 000000 0-0");
++ out += sprintf(out, "000 00000000 000000 0-0");
+
+ out += sprintf(out, "\n");
+ spin_unlock(&vdev->ud.lock);
--- /dev/null
+From shuahkh@osg.samsung.com Mon Feb 5 09:59:31 2018
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Mon, 5 Feb 2018 10:45:55 -0700
+Subject: usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit
+To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org
+Cc: Shuah Khan <shuahkh@osg.samsung.com>, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
+Message-ID: <8a118955998e8b3d101b8105f786cee354256d41.1517852038.git.shuahkh@osg.samsung.com>
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+Upstream commit 1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed
+support")
+
+vhci_hcd clears all the bits port_status bits instead of clearing
+just the USB_PORT_STAT_POWER bit when it handles ClearPortFeature:
+USB_PORT_FEAT_POWER. This causes vhci_hcd attach to fail in a bad
+state, leaving device unusable by the client. The device is still
+attached and however client can't use it.
+
+The problem was fixed as part of larger change to add USB3 Super Speed
+support.
+
+This patch isolates the one line fix to clear the USB_PORT_STAT_POWER
+from the original patch.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vhci_hcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -285,7 +285,7 @@ static int vhci_hub_control(struct usb_h
+ case USB_PORT_FEAT_POWER:
+ usbip_dbg_vhci_rh(
+ " ClearPortFeature: USB_PORT_FEAT_POWER\n");
+- dum->port_status[rhport] = 0;
++ dum->port_status[rhport] &= ~USB_PORT_STAT_POWER;
+ dum->resuming = 0;
+ break;
+ case USB_PORT_FEAT_C_RESET:
projects / thirdparty / kernel / stable-queue.git / commitdiff
